Compare commits
1 Commits
main
...
chore/runn
| Author | SHA1 | Date | |
|---|---|---|---|
963af6ca56
|
@@ -1,68 +0,0 @@
|
||||
name: bump-stacks
|
||||
description: |
|
||||
Push the new short sha for a stack into libretech/gitops-sandbox/stacks.yml.
|
||||
Idempotent: a no-op when the sha is already pinned. Retries up to 3× on
|
||||
non-fast-forward to absorb concurrent bumps from sibling stack repos.
|
||||
|
||||
inputs:
|
||||
stack:
|
||||
description: stack name (key under `stacks:` in stacks.yml)
|
||||
required: true
|
||||
sha:
|
||||
description: short git sha (7 chars) of the image tag just pushed
|
||||
required: true
|
||||
bot_token:
|
||||
description: PAT with write:repository on libretech/gitops-sandbox
|
||||
required: true
|
||||
sandbox_repo:
|
||||
description: orchestrator repo slug
|
||||
required: false
|
||||
default: libretech/gitops-sandbox
|
||||
|
||||
runs:
|
||||
using: composite
|
||||
steps:
|
||||
- shell: bash
|
||||
env:
|
||||
STACK: ${{ inputs.stack }}
|
||||
SHA: ${{ inputs.sha }}
|
||||
BOT_TOKEN: ${{ inputs.bot_token }}
|
||||
SANDBOX_REPO: ${{ inputs.sandbox_repo }}
|
||||
ACTION_PATH: ${{ github.action_path }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
WORK=$(mktemp -d)
|
||||
cd "$WORK"
|
||||
git config --global user.name "gitops-bot"
|
||||
git config --global user.email "gitops-bot@librete.ch"
|
||||
|
||||
REPO_URL="https://oauth2:${BOT_TOKEN}@git.librete.ch/${SANDBOX_REPO}.git"
|
||||
for attempt in 1 2 3; do
|
||||
rm -rf clone
|
||||
git clone --depth=2 "$REPO_URL" clone
|
||||
cd clone
|
||||
[ -f package.json ] || echo '{"type":"module","dependencies":{"yaml":"^2.6.1"}}' > package.json
|
||||
bun install --silent
|
||||
|
||||
set +e
|
||||
bun "$ACTION_PATH/bump.js" "$STACK" "$SHA"
|
||||
rc=$?
|
||||
set -e
|
||||
if [ "$rc" = "10" ]; then
|
||||
echo "::notice::stacks.yml already at sha=$SHA, no commit"
|
||||
exit 0
|
||||
fi
|
||||
[ "$rc" = "0" ] || exit "$rc"
|
||||
|
||||
git add stacks.yml
|
||||
git commit -m "bump(${STACK}): sha=${SHA}"
|
||||
if git push origin main; then
|
||||
echo "::notice::pushed bump for ${STACK} to ${SANDBOX_REPO}"
|
||||
exit 0
|
||||
fi
|
||||
echo "push rejected, attempt ${attempt}/3"
|
||||
cd ..
|
||||
sleep $((attempt * 3))
|
||||
done
|
||||
echo "::error::could not push bump after 3 attempts"
|
||||
exit 1
|
||||
@@ -1,29 +0,0 @@
|
||||
#!/usr/bin/env bun
|
||||
// Edit stacks.yml in the gitops-sandbox checkout to pin a new sha for `stack`.
|
||||
// Exit 10 = no-op (already at sha). Exit 0 = mutated, ready to commit.
|
||||
import { readFileSync, writeFileSync } from "node:fs";
|
||||
import { parseDocument } from "yaml";
|
||||
|
||||
const [, , stack, sha] = process.argv;
|
||||
if (!stack || !sha) {
|
||||
console.error("usage: bump.js <stack> <sha>");
|
||||
process.exit(2);
|
||||
}
|
||||
|
||||
const doc = parseDocument(readFileSync("stacks.yml", "utf8"));
|
||||
const stacks = doc.get("stacks");
|
||||
if (!stacks?.has(stack)) {
|
||||
console.error(`stack '${stack}' not in stacks.yml`);
|
||||
process.exit(2);
|
||||
}
|
||||
|
||||
const node = stacks.get(stack);
|
||||
const oldSha = node.get("sha");
|
||||
if (String(oldSha) === String(sha)) {
|
||||
console.log(`no-op: ${stack} already at sha=${sha}`);
|
||||
process.exit(10);
|
||||
}
|
||||
|
||||
node.set("sha", sha);
|
||||
writeFileSync("stacks.yml", doc.toString());
|
||||
console.log(`bumped ${stack}: ${oldSha} → ${sha}`);
|
||||
@@ -1,76 +0,0 @@
|
||||
name: deploy-stack
|
||||
description: |
|
||||
SSH to netcup, pull the pinned image, restart the stack via docker compose.
|
||||
Each stack repo holds its own SSH key; the netcup `authorized_keys` line
|
||||
is forced-command-locked to that stack's directory.
|
||||
|
||||
inputs:
|
||||
stack:
|
||||
description: stack name (cosmetic, used in deploy-marker file)
|
||||
required: true
|
||||
target:
|
||||
description: absolute path on netcup, e.g. /srv/gitops-hello
|
||||
required: true
|
||||
image:
|
||||
description: full image ref including tag, e.g. git.librete.ch/libretech/gitops-hello:sha-abc1234
|
||||
required: true
|
||||
ssh_key:
|
||||
description: private SSH key (PEM, multi-line ok)
|
||||
required: true
|
||||
ssh_host:
|
||||
description: netcup hostname, e.g. cloud.librete.ch
|
||||
required: true
|
||||
ssh_user:
|
||||
description: netcup user, e.g. tengo
|
||||
required: true
|
||||
registry:
|
||||
description: registry hostname for docker login
|
||||
required: true
|
||||
registry_user:
|
||||
description: registry username
|
||||
required: true
|
||||
registry_pass:
|
||||
description: registry PAT
|
||||
required: true
|
||||
|
||||
runs:
|
||||
using: composite
|
||||
steps:
|
||||
- shell: bash
|
||||
env:
|
||||
STACK: ${{ inputs.stack }}
|
||||
TARGET: ${{ inputs.target }}
|
||||
IMAGE: ${{ inputs.image }}
|
||||
SSH_KEY: ${{ inputs.ssh_key }}
|
||||
SSH_HOST: ${{ inputs.ssh_host }}
|
||||
SSH_USER: ${{ inputs.ssh_user }}
|
||||
REGISTRY: ${{ inputs.registry }}
|
||||
REGISTRY_USER: ${{ inputs.registry_user }}
|
||||
REGISTRY_PASS: ${{ inputs.registry_pass }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
umask 077
|
||||
mkdir -p ~/.ssh
|
||||
printf '%s\n' "$SSH_KEY" > ~/.ssh/id_deploy
|
||||
chmod 600 ~/.ssh/id_deploy
|
||||
ssh-keyscan -H "$SSH_HOST" >> ~/.ssh/known_hosts 2>/dev/null
|
||||
|
||||
SSH="ssh -i ~/.ssh/id_deploy -o BatchMode=yes ${SSH_USER}@${SSH_HOST}"
|
||||
|
||||
# The forced-command on netcup's side is parameterised by the
|
||||
# original command, so we send a single-line script via stdin.
|
||||
$SSH bash -s <<EOF
|
||||
set -euo pipefail
|
||||
cd "$TARGET"
|
||||
echo "$REGISTRY_PASS" | docker login "$REGISTRY" -u "$REGISTRY_USER" --password-stdin
|
||||
# Pin the image for compose via a stack-local .env file.
|
||||
# HELLO_IMAGE / <STACK_UPPER>_IMAGE etc. — generic env name pattern.
|
||||
STACK_UPPER=\$(echo "$STACK" | tr a-z A-Z)
|
||||
printf '%s_IMAGE=%s\n' "\$STACK_UPPER" "$IMAGE" > .env.deploy
|
||||
docker compose --env-file .env.deploy pull
|
||||
docker compose --env-file .env.deploy up -d
|
||||
# Write deploy marker — read by drift checks + observability.
|
||||
printf '%s\n' "image=$IMAGE" "deployed_at=\$(date -u +%Y-%m-%dT%H:%M:%SZ)" > .deployed
|
||||
EOF
|
||||
|
||||
echo "::notice::deployed ${STACK}: ${IMAGE}"
|
||||
@@ -1,9 +1,7 @@
|
||||
# Example build.yml for a libreshop component repo.
|
||||
# Copy to .gitea/workflows/build.yml in the consuming repo.
|
||||
# Copy to .gitea/workflows/build.yml and remove the "on:" override below.
|
||||
#
|
||||
# Lives outside .gitea/workflows/ on purpose — Gitea would auto-run it
|
||||
# here against this repo (which has no Dockerfile) and the build would
|
||||
# fail every time.
|
||||
# Replace the existing multi-step build.yml with these ~20 lines.
|
||||
|
||||
name: build
|
||||
|
||||
Reference in New Issue
Block a user